PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-918"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54370.json"
}{
"source": [
"AFFECTED_FIELD",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "1.30.0"
},
{
"introduced": "3.0.0"
},
{
"fixed": "3.10.0"
},
{
"introduced": "2.0.0"
},
{
"fixed": "2.1.12"
},
{
"introduced": "2.2.0"
},
{
"fixed": "2.4.0"
},
{
"introduced": "4.0.0"
},
{
"fixed": "5.0.0"
}
]
}